Shulou(Shulou.com)06/03 Report--

This article introduces HTML5 to effectively improve the security of iFrame and what is the new Sandbox attribute. The content is very detailed. Interested friends can use it for reference. I hope it will be helpful to you.

HTML 5 will add a sandbox attribute to the iframe element to prevent untrusted Web pages from performing certain actions. Ian Hickson, editor of the HTML 5 specification, talks about the benefits of sandbox, which prevents the following:

◆ accesses the DOM of the parent page (technically, this is because iframe has become a different source than the parent page)

◆ executes script

◆ embeds its own form or manipulates it through scripts

◆ read and write to cookie, local storage, or local SQL database

The revision history page of HTML 5 also mentions other features of sandbox:

◆ disables plug-ins

◆ forbids navigation of other browsing contexts

◆ disables pop-up windows and modal dialogs

◆ iFrames is notorious for security issues, mainly because iFrames is often used to embed third-party content, which may perform some malicious actions.

◆ sandbox improves the security of iFrames by restricting the operations allowed by embedded content. This approach separates the sandboxed content from the parent page, thus limiting the permissions of the embedded content.

Along with sandbox comes its MIME type: text/html-sandboxed. Hickson said:

Using HTML5 to build the next generation of Web Form

Preview of the latest technology of HTML5 standard

HTML5 feature enhancements Adobe release AIR2.0 test version

The release of HTML5 web page 3D technical standard does not require a plug-in.

A preliminary study of HTML5 File API supports file drag-and-drop upload

The text/html-sandboxed MIME type ensures that users do not access untrusted content. It consists of two parts: first, if the user accesses the page directly, the browser cannot render those pages that have the text/html-sandboxed MIME type. This is currently supported by all browsers, which download the tags of the page but do not render the page Second, browsers that support the sandbox attribute need to render iframes of type text/html-sandboxed MIME (but subject to the permissions set in the sandbox property). So far, no browser has done this, and neither has Google Chrome (it renders the parent page, but downloads the iframe content instead of rendering it in iframe). Therefore, it is not possible to use this technology at this time unless Google updates Chrome to support this (in theory, other browser vendors will implement this technology after implementing support for the sandbox attribute, let's wait and see).

Currently, only Google Chrome 4.0 using sandbox,Firefox, IE8, and Safari has not yet implemented this, but it is believed that these browsers will soon do so. A lot has happened around the HTML 5 element. Google implements it through the H.264 standard, while other browsers use different standards or haven't implemented it at all. But that's not going to happen here, because each browser is free to decide internally how to implement sandbox. But even if all the major browsers adopt sandbox tomorrow, many developers and content managers will not be able to use it right away, because there are so many legacy browsers that will ignore this attribute, so it is safe to take conventional security measures to protect iFrames.

So much for HTML5 to effectively improve the security of iFrame and what the new Sandbox attributes are. I hope the above content can be helpful to you and learn more. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.